diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index b3848ee00..1a2b143a1 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -51,13 +51,22 @@ module "nat" {
},
{
# primary range only
- self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-1"
- all_ranges = false
+ self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-1"
+ all_ranges = false
+ primary_range = true
},
{
# both primary and specified secondary ranges
self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-2"
all_ranges = false
+ primary_range = true
+ secondary_ranges = ["pods"]
+ },
+ {
+ # secondary range only
+ self_link = "projects/${var.project_id}/regions/${var.region}/subnetworks/net-3"
+ all_ranges = false
+ primary_range = false
secondary_ranges = ["pods"]
}
]
@@ -177,21 +186,21 @@ module "nat" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L92) | Name of the Cloud NAT resource. | string | ✓ | |
-| [project_id](variables.tf#L97) | Project where resources will be created. | string | ✓ | |
-| [region](variables.tf#L102) | Region where resources will be created. | string | ✓ | |
+| [name](variables.tf#L107) | Name of the Cloud NAT resource. | string | ✓ | |
+| [project_id](variables.tf#L112) | Project where resources will be created. | string | ✓ | |
+| [region](variables.tf#L117) | Region where resources will be created. | string | ✓ | |
| [addresses](variables.tf#L17) | Optional list of external address self links. | list(string) | | [] |
| [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | object({…}) | | {} |
-| [config_source_subnetworks](variables.tf#L39) | Subnetwork configuration. | object({…}) | | {} |
-| [config_timeouts](variables.tf#L54) | Timeout configurations. | object({…}) | | {} |
-| [endpoint_types](variables.tf#L67) | Specifies the endpoint Types supported by the NAT Gateway. Supported values include: ENDPOINT_TYPE_VM, ENDPOINT_TYPE_SWG, ENDPOINT_TYPE_MANAGED_PROXY_LB. | list(string) | | null |
-| [logging_filter](variables.tf#L86) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string | | null |
-| [router_asn](variables.tf#L107) | Router ASN used for auto-created router. | number | | null |
-| [router_create](variables.tf#L113) | Create router. | bool | | true |
-| [router_name](variables.tf#L119) | Router name, leave blank if router will be created to use auto generated name. | string | | null |
-| [router_network](variables.tf#L125) | Name of the VPC used for auto-created router. | string | | null |
-| [rules](variables.tf#L131) | List of rules associated with this NAT. | list(object({…})) | | [] |
-| [type](variables.tf#L151) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | string | | "PUBLIC" |
+| [config_source_subnetworks](variables.tf#L39) | Subnetwork configuration. | object({…}) | | {} |
+| [config_timeouts](variables.tf#L69) | Timeout configurations. | object({…}) | | {} |
+| [endpoint_types](variables.tf#L82) | Specifies the endpoint Types supported by the NAT Gateway. Supported values include: ENDPOINT_TYPE_VM, ENDPOINT_TYPE_SWG, ENDPOINT_TYPE_MANAGED_PROXY_LB. | list(string) | | null |
+| [logging_filter](variables.tf#L101) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string | | null |
+| [router_asn](variables.tf#L122) | Router ASN used for auto-created router. | number | | null |
+| [router_create](variables.tf#L128) | Create router. | bool | | true |
+| [router_name](variables.tf#L134) | Router name, leave blank if router will be created to use auto generated name. | string | | null |
+| [router_network](variables.tf#L140) | Name of the VPC used for auto-created router. | string | | null |
+| [rules](variables.tf#L146) | List of rules associated with this NAT. | list(object({…})) | | [] |
+| [type](variables.tf#L166) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | string | | "PUBLIC" |
## Outputs
diff --git a/modules/net-cloudnat/main.tf b/modules/net-cloudnat/main.tf
index b5fc4a6ce..2c6d8eb67 100644
--- a/modules/net-cloudnat/main.tf
+++ b/modules/net-cloudnat/main.tf
@@ -100,7 +100,12 @@ resource "google_compute_router_nat" "nat" {
subnetwork.value.all_ranges == true
? ["ALL_IP_RANGES"]
: concat(
- ["PRIMARY_IP_RANGE"],
+ (
+ subnetwork.value.primary_range
+ ? ["PRIMARY_IP_RANGE"]
+ : []
+ )
+ ,
(
subnetwork.value.secondary_ranges == null
? []
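Review bot: The primary range is now dropped whenever `primary_range` keeps its `false` default (variables.tf in this same commit), so an existing entry with `all_ranges = false` and only `secondary_ranges` set silently stops being NAT-translated on its primary range — the README example for net-2 had to gain `primary_range = true` for exactly this reason. A backward-compatible option is to default the new attribute to true (`primary_range = optional(bool, true)`) so only explicit `primary_range = false` removes the primary range; if the narrower default is intended, a comment on the new conditional should say so, e.g. `# primary_range defaults to false: entries with all_ranges = false must opt in explicitly`. The lone `,` on its own line after the closing paren is hard to read; `),` on the closing line is the usual form. The enclosing `google_compute_router_nat.nat` resource and the surrounding `concat(...)` start and end outside the hunk.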
diff --git a/modules/net-cloudnat/variables.tf b/modules/net-cloudnat/variables.tf
index 08b4d3774..88fe1cb83 100644
--- a/modules/net-cloudnat/variables.tf
+++ b/modules/net-cloudnat/variables.tf
@@ -44,11 +44,26 @@ variable "config_source_subnetworks" {
subnetworks = optional(list(object({
self_link = string
all_ranges = optional(bool, true)
+ primary_range = optional(bool, false)
secondary_ranges = optional(list(string))
})), [])
})
nullable = false
default = {}
+ validation {
+ condition = alltrue([
+ for s in var.config_source_subnetworks.subnetworks :
+ (s.all_ranges == true) != ((s.primary_range == true) || try(length(s.secondary_ranges), 0) > 0)
+ ])
+ error_message = "Either config_source_subnetworks.subnetworks.all_ranges is true or one of primary_range or secondary_ranges must be defined."
+ }
+ validation {
+ condition = (
+ (var.config_source_subnetworks.all == true ||
+ var.config_source_subnetworks.primary_ranges_only == true) != (length(try(var.config_source_subnetworks.subnetworks, [])) > 0)
+ )
+ error_message = "Cannot use config_source_subnetworks.all and config_source_subnetworks.primary_ranges_only together with config_source_subnetworks.subnetworks."
+ }
}
variable "config_timeouts" {
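Review bot: The second validation's `error_message` only describes the "both set" case, but its `!=` condition also rejects the "neither set" case (no `all`/`primary_ranges_only` and an empty `subnetworks`), so a caller who configures nothing gets a message that does not match what went wrong; `error_message = "Exactly one of config_source_subnetworks.all, config_source_subnetworks.primary_ranges_only or a non-empty config_source_subnetworks.subnetworks must be set."` covers both. The `all` and `primary_ranges_only` attributes and their defaults are declared above the hunk, so whether the variable's own `default = {}` satisfies this condition depends on those defaults — worth confirming with a plan against the module defaults. `try(var.config_source_subnetworks.subnetworks, [])` is redundant given the `optional(..., [])` default on `subnetworks` and can be plain `length(var.config_source_subnetworks.subnetworks)`. The `variable "config_source_subnetworks"` block starts outside the hunk.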